This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Monitoring 2 interfaces on the same machine


Hi

I wish to use a machine with 2 interfaces, and transmit frames on one interface, to be received on the other interface via a switch.

I wish to capture the frames leaving and coming back on the 2 interfaces at the same time. The intention is to compare the two captures to test for jitter and latency across the switch.

I can run two instances of Wireshark side by side each monitoring a single interface to achieve this, but I find that when compared, some packets are time stamped as received before they were sent. I fear there is some skewing of data caused by the 2 programs competing for resources.

I suspect my results would be more stable if I could use one instance of Wireshark to view the traffic from both interfaces. I know this is possible in most circumstances but it does not seem to display both sent and received copies of the same frame by default.

Can anyone help me?

asked 09 Oct '12, 06:55

Urumiko


2 Answers:


> I wish to use a machine with 2 interfaces, and transmit frames on one interface, to be received on the other interface via a switch.

The packets will not leave the IP stack (not going to the switch), as the source and destination addresses are on the same machine. That might be the reason for the timestamp issue.

If you want the packets to leave, you need a second machine with NAT capabilities and/or Port Forwarding. Something like this:

PC1[1.1.1.5:45000] -- [1.1.1.1:8000] PC2 [2.2.2.2:45000] -- PC1[2.2.2.5:8080]

Your communication will be:

PC1 -> PC2:8080
PC2 will NAT/Port Forward the connection back to PC1, but different interface (IP)

Regards
Kurt

answered 09 Oct '12, 07:03

Kurt Knochner ♦

Kurt,

Thanks for your input but my packet generation software is generating raw Ethernet frames with correct MAC addresses. IP addresses are present but invalid. No IP is configured on the interfaces themselves. The frames are still delivered on the strength of the MAC address, so I don't think your suggestion is correct?

(09 Oct '12, 23:33) Urumiko

Without any further information about your software (how does it actually send the frames) it's impossible to give advice. Can you please add more details?

(09 Oct '12, 23:43) Kurt Knochner ♦


Well, anyway, if you want to capture on 2 interfaces simultaneously you can use Wireshark 1.8.0+ which allows you to select 1 to N interfaces on which to do simultaneous captures.

Note, however, that with this method it is still possible for the frames to arrive out of order; actually my experience was that the timestamp was correct but Wireshark had received them out of order (I easily worked around that by sorting the frames by time). This was on Linux.

Another solution would be to use Linux and use the 'any' pseudodevice (which captures on all interfaces simultaneously).

But: if you're really interested in high-resolution time stamping, you may want to get a dedicated capture card (like those from Riverbed--Turbocap--or Endace).

answered 10 Oct '12, 05:58

JeffMorriss ♦

Thanks Jeff, that's pretty helpful, I'll check it's not just a case of sorting by time-stamp.

Wow those riverbed devices look ideal, but well out of my price range. Do you know if there's a budget option? I really only need the time stamp down to a resolution of microseconds.

(10 Oct '12, 23:36) Urumiko

Honestly I don't know much about dedicated capture devices. Well, except that I thought that Riverbed's stuff was the budget option--but honestly I don't know.

(11 Oct '12, 07:28) JeffMorriss ♦
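
The comparison discussed in this thread, as an added example (not code from any of the posters): given records taken from one multi-interface capture, it pairs each frame on the sending interface with its copy on the receiving interface regardless of file order, then reports latency, jitter and any frame stamped as received before it was sent. The interface names, the record layout and the sample data are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict
from statistics import mean

def pair_frames(records, tx_if, rx_if):
    """Pair each frame captured on tx_if with its copy on rx_if.

    records: (timestamp_us, interface, frame_bytes) tuples in capture-file
    order, which is not necessarily time order. Returns (pairs, lost).
    """
    sent, received = defaultdict(list), defaultdict(list)
    for ts, iface, frame in records:
        key = hashlib.sha256(frame).digest()  # identical bytes => same frame
        if iface == tx_if:
            sent[key].append(ts)
        elif iface == rx_if:
            received[key].append(ts)
    pairs, lost = [], 0
    for key, tx_times in sent.items():
        rx_times = sorted(received.get(key, []))
        # k-th transmission of a frame pairs with its k-th reception
        pairs.extend(zip(sorted(tx_times), rx_times))
        lost += max(0, len(tx_times) - len(rx_times))
    return sorted(pairs), lost

def summarize(pairs):
    """Latency statistics in microseconds, in order of transmission."""
    latency = [rx - tx for tx, rx in pairs]
    deltas = [abs(b - a) for a, b in zip(latency, latency[1:])]
    return {
        "frames": len(latency),
        "mean_latency_us": mean(latency) if latency else None,
        "jitter_us": mean(deltas) if deltas else 0.0,  # mean |change| between frames
        "rx_before_tx": sum(1 for x in latency if x < 0),  # timestamp skew
    }

# Constructed sample: eth0 transmits, eth1 receives via the switch.
SAMPLE = [
    (1000, "eth0", b"frame-1"),
    (1250, "eth0", b"frame-2"),
    (1040, "eth1", b"frame-1"),  # written to the file out of time order
    (1310, "eth1", b"frame-2"),
    (1500, "eth0", b"frame-3"),
    (1495, "eth1", b"frame-3"),  # stamped as received before it was sent
    (1750, "eth0", b"frame-4"),  # never seen on eth1
]

if __name__ == "__main__":
    pairs, lost = pair_frames(SAMPLE, "eth0", "eth1")
    print(summarize(pairs), "lost:", lost)
```

Frames shorter than 60 bytes are padded by the sending NIC after the capture point, so the byte-for-byte match assumes the generator sends frames of at least that length.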